diff --git a/detection-rules/link_single_file_share_unkown_sender.yml b/detection-rules/link_single_file_share_unkown_sender.yml
new file mode 100644
index 00000000000..af03b3f321e
--- /dev/null
+++ b/detection-rules/link_single_file_share_unkown_sender.yml
@@ -0,0 +1,61 @@
+name: "Link: Single file sharing link with minimal content from unknown sender"
+description: "Detects messages containing a single link to a free file hosting service with minimal body text from senders with limited history or recent contact patterns. The rule identifies potential malicious file sharing by analyzing link density, content brevity, and sender trust signals."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and length(body.current_thread.text) < 800
+ and length(body.previous_threads) == 0
+ and strings.icount(body.current_thread.text, "\n") < 20
+ and (
+ // the sender is in the recipients
+ sender.email.email in map(recipients.to, .email.email)
+ or all(recipients.to, .email.domain.valid == false)
+ or (
+ sender.email.domain.domain in $org_domains
+ and not coalesce(headers.auth_summary.dmarc.pass, false)
+ )
+ )
+
+ // there are few distinct domains in links
+ and length(distinct(body.current_thread.links, .href_url.domain.root_domain)) < 3
+
+ // the attachments are only images or there are no images
+ // using all ensures it continues to match without any
+ and all(attachments, .file_type in $file_types_images)
+
+ // contains a link to free_file_host/self_service_create_platform
+ and any(body.current_thread.links,
+ .href_url.domain.domain in $free_file_hosts
+ or .href_url.domain.domain in $self_service_creation_platform_domains
+ or .href_url.domain.root_domain in $self_service_creation_platform_domains
+ )
+ // only a single link to a free_file_host/self_service_create_platform
+ and length(filter(body.current_thread.links,
+ .href_url.domain.domain in $free_file_hosts
+ or .href_url.domain.domain in $self_service_creation_platform_domains
+ or .href_url.domain.root_domain in $self_service_creation_platform_domains
+ )
+ ) == 1
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and not 
headers.auth_summary.dmarc.pass
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
+ and not profile.by_sender_email().any_messages_benign
+tags:
+ - "Attack surface reduction"
+attack_types:
+ - "Malware/Ransomware"
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Free file host"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Sender analysis"
+ - "URL analysis"
+id: "e560a504-23e3-5371-b71a-a8a694a359a6"
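Review bot: The high-trust negation at the end of the `source` block tests `and not headers.auth_summary.dmarc.pass` without coalescing, while the org-domain spoof branch earlier in the same block uses `not coalesce(headers.auth_summary.dmarc.pass, false)`; when no DMARC verdict is present (null) the two clauses treat the same message differently, and the negation would appear to suppress a hit from a high-trust root domain that carries no DMARC result even though the org-domain branch counts that as unauthenticated. If a missing DMARC result is meant to count as a failure throughout, align the negation to `and not coalesce(headers.auth_summary.dmarc.pass, false)`; if the asymmetry is deliberate, a one-line comment saying why would save the next reader the same question. Separately, the `any(body.current_thread.links, …)` clause is implied by the `length(filter(body.current_thread.links, …)) == 1` clause that follows it with the identical three-way domain test, so it could be dropped to keep that list-membership logic in one place. The description's "senders with limited history or recent contact patterns" overstates what is checked — the only sender-history signal in the rule is `not profile.by_sender_email().any_messages_benign` — and the file name carries the typo `unkown`.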